spamd in a cloud setup?
Dear folks,

OpenBSD's spamd is a network level spam filter and consequently we need the MX records to point to spamd before it hits our mail server thereby achieving bandwidth protection as well as spam protection. This is really fantastic.

Now the issue is this. Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address. The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?

I hope the question makes sense. Sorry for sounding confusing.

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
gir...@gayatri-hitech.com
Re: spamd in a cloud setup?
On Wed, 29 Dec 2010 16:22:33 +0530 Girish Venkatachalam girishvenkatacha...@gmail.com wrote:

> Dear folks,
>
> OpenBSD's spamd is a network level spam filter and consequently we need the MX records to point to spamd before it hits our mail server thereby achieving bandwidth protection as well as spam protection. This is really fantastic.
>
> Now the issue is this. Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address. The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?
>
> I hope the question makes sense. Sorry for sounding confusing.

don't see the problem, setup your mx records for all your zones to something like:

        IN MX 10 mail
mail    IN A 192.168.0.1

then make spamd listen on the address, and you're done.

--
With best regards,
Gregory Edigarov
Re: spamd in a cloud setup?
On 29 December 2010 22:35, Gregory Edigarov g...@bestnet.kharkov.ua wrote:

> On Wed, 29 Dec 2010 16:22:33 +0530 Girish Venkatachalam girishvenkatacha...@gmail.com wrote:
>
> > Dear folks,
> >
> > OpenBSD's spamd is a network level spam filter and consequently we need the MX records to point to spamd before it hits our mail server thereby achieving bandwidth protection as well as spam protection. This is really fantastic.
> >
> > Now the issue is this. Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address. The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?
> >
> > I hope the question makes sense. Sorry for sounding confusing.
>
> don't see the problem, setup your mx records for all your zones to something like:
>
>         IN MX 10 mail
> mail    IN A 192.168.0.1
>
> then make spamd listen on the address, and you're done.
>
> --
> With best regards,
> Gregory Edigarov

This raises the PTR problem.

Only one of those domains is going to have records that match forward and reverse? If not, some anti-SPAM gateways will drop.

Shane
Re: spamd in a cloud setup?
On 29 December 2010 22:47, SJP Lists sjp.li...@flashbsd.net wrote:

> On 29 December 2010 22:35, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
>
> > On Wed, 29 Dec 2010 16:22:33 +0530 Girish Venkatachalam girishvenkatacha...@gmail.com wrote:
> >
> > > Dear folks,
> > >
> > > OpenBSD's spamd is a network level spam filter and consequently we need the MX records to point to spamd before it hits our mail server thereby achieving bandwidth protection as well as spam protection. This is really fantastic.
> > >
> > > Now the issue is this. Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address. The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?
> > >
> > > I hope the question makes sense. Sorry for sounding confusing.
> >
> > don't see the problem, setup your mx records for all your zones to something like:
> >
> >         IN MX 10 mail
> > mail    IN A 192.168.0.1
> >
> > then make spamd listen on the address, and you're done.
> >
> > --
> > With best regards,
> > Gregory Edigarov
>
> This raises the PTR problem.
>
> Only one of those domains is going to have records that match forward and reverse? If not, some anti-SPAM gateways will drop.

Sorry, what I meant to say is: If so, some anti-SPAM gateways will drop connections that don't match forward and reverse.
Re: spamd in a cloud setup?
On Wed, Dec 29, 2010 at 10:47:11PM +1100, SJP Lists wrote:

| This raises the PTR problem.
|
| Only one of those domains is going to have records that match forward
| and reverse? If not, some anti-SPAM gateways will drop.

How so ?

a.example.com.  IN MX 10 mx.example.com.
b.example.com.  IN MX 10 mx.example.com.
c.example.com.  IN MX 10 mx.example.com.
d.example.com.  IN MX 10 mx.example.com.
mx.example.com. IN A 192.0.2.1
mx.example.com. IN AAAA 2001:db8::1
1.2.0.192.in-addr.arpa. IN PTR mx.example.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR mx.example.com.

Why does your MX have to live in the same zone as what it's MX'ing for ?

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/
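The two record layouts discussed so far in the thread, checked side by side; this is an added example, not part of any poster's message. It runs a forward/reverse comparison over constructed records: many domains sharing one MX host name, and a per-zone `mail` name on one address with a single PTR. The function names, the documentation addresses and the record sets are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def build(records):
    """Index constructed (owner, type, rdata) tuples for lookup."""
    table = defaultdict(list)
    for owner, rtype, rdata in records:
        table[(owner.lower(), rtype)].append(rdata.lower())
    return table

def ptr_owner(ip):
    """in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def mx_report(table, domain):
    """Per MX address: (mx host, ip, PTR names the MX host?, PTR name resolves back to ip?)."""
    rows = []
    for rdata in table[(domain, "MX")]:
        mx = rdata.split()[1]                 # drop the preference value
        for rtype in ("A", "AAAA"):
            for ip in table[(mx, rtype)]:
                ptrs = table[(ptr_owner(ip), "PTR")]
                confirmed = any(ip in table[(p, rtype)] for p in ptrs)
                rows.append((mx, ip, mx in ptrs, confirmed))
    return rows

DOMAINS = ["a.example.com.", "b.example.com.", "c.example.com.", "d.example.com."]

# Layout 1 (constructed): every domain points at one shared MX host name.
SHARED = build(
    [(d, "MX", "10 mx.example.com.") for d in DOMAINS] + [
        ("mx.example.com.", "A", "192.0.2.1"),
        ("mx.example.com.", "AAAA", "2001:db8::1"),
        (ptr_owner("192.0.2.1"), "PTR", "mx.example.com."),
        (ptr_owner("2001:db8::1"), "PTR", "mx.example.com."),
    ])

# Layout 2 (constructed): each zone has its own "mail" name on the same
# address, but the address carries a single PTR.
PER_ZONE = build(
    [(d, "MX", "10 mail." + d) for d in DOMAINS] +
    [("mail." + d, "A", "192.0.2.1") for d in DOMAINS] +
    [(ptr_owner("192.0.2.1"), "PTR", "mail.a.example.com.")])

if __name__ == "__main__":
    for name, table in (("shared", SHARED), ("per-zone", PER_ZONE)):
        for d in DOMAINS:
            print(name, d, mx_report(table, d))
```

With the shared host name every domain reports a PTR that names its MX; with per-zone names only `a.example.com.` does, although the address itself still resolves forward and back consistently.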
Re: spamd in a cloud setup?
Girish Venkatachalam girishvenkatacha...@gmail.com writes:

> Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address. The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?

You've tried to solve the lack of IP addresses problem by running SMTP servers on alternative ports on the same host.

If shortage of IP addresses is the hardest problem to solve, it's probably easier to make a working setup if you go for virtual domains (search for $yourMTA virtual domains).

That said, running spamd in front of hundreds of different boxes all doing their own SMTP stuff is very doable too, if you have enough routable IP addresses.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd in a cloud setup?
SJP Lists sjp.li...@flashbsd.net writes:

> Only one of those domains is going to have records that match forward and reverse? If not, some anti-SPAM gateways will drop.

That would only be much of a problem if the outbound mail server is the same as the MX. The two do not need to be identical.

Then again, geeks like us are the only ones who ever do a

$ dig domain.com mx

and there's no real embarrassment in having your domain's mail handled elsewhere. I'd take several domains with identical MX records any day over outgoing SMTP without proper reverse lookup.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd in a cloud setup?
* Girish Venkatachalam girishvenkatacha...@gmail.com [2010-12-29 11:52]:

> Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address. The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?

either you're not telling us something or have a misunderstanding or i dunno. why do the mx records for different domains have to be different?

domain1 MX 10 a.mx.isp.com
domain1 MX 20 b.mx.isp.com
domain1 MX 30 c.mx.isp.com
domain2 MX 10 a.mx.isp.com
domain2 MX 20 b.mx.isp.com
domain2 MX 30 c.mx.isp.com
domain3 MX 10 a.mx.isp.com
domain3 MX 20 b.mx.isp.com
domain3 MX 30 c.mx.isp.com

i run mailservers for hundreds or thousands (too lazy to check atm) domains that way.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: spamd in a cloud setup?
On Wednesday, 29 December 2010, Paul de Weerd we...@weirdnet.nl wrote:

> On Wed, Dec 29, 2010 at 10:47:11PM +1100, SJP Lists wrote:
>
> | This raises the PTR problem.
> |
> | Only one of those domains is going to have records that match forward
> | and reverse? If not, some anti-SPAM gateways will drop.
>
> How so ?
>
> a.example.com.  IN MX 10 mx.example.com.
> b.example.com.  IN MX 10 mx.example.com.
> c.example.com.  IN MX 10 mx.example.com.
> d.example.com.  IN MX 10 mx.example.com.
> mx.example.com. IN A 192.0.2.1
> mx.example.com. IN AAAA 2001:db8::1
> 1.2.0.192.in-addr.arpa. IN PTR mx.example.com.
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR mx.example.com.
>
> Why does your MX have to live in the same zone as what it's MX'ing for ?
>
> Paul 'WEiRD' de Weerd
>
> --
> [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
> http://www.weirdnet.nl/

Ah yes, true. Spoke too soon! Apologies!